Please be informed that your personal data will be processed by Materassificio Montalese S.p.A. (hereinafter “Data Controller”), with headquarters in Agliana (PT) – Italy, Via Prato, no. 16, Postal Code 51031, VAT registry number: 01239420472, in compliance with the above-mentioned law.
THE LIST OF THOSE IN CHARGE OF THE PROCESSING OF PERSONAL DATA IS AVAILABLE AT OUR OFFICES.
Your data will be processed as indicated below:
1. Object of the data processing
2. Purpose of the data processing
Your personal data will be processed:
A. Without your consent, (Art. 6 letters b) and e) GDPR 2016/679) for the following purposes:
• obligations established by Italian and EU laws and compliance with the provisions issued by the Data Protection Authority
• the performance of the contract you have undersigned.
B. Only after receiving your specific consent (Art. 7 GDPR no. 2016/679) for the following purposes:
• direct marketing, such as sending – also via e-mail or text messages – advertising material or information on offers concerning products or services provided and/or promoted by the Data Controller or by its business partners.
• individual or aggregate profiling and market research aimed, for example, at analyzing consumer habits and choices, at processing statistics on such trends or at assessing customer satisfaction of products and services offered.
3. Provision of data
Provision of your data as per the second point of letter A is mandatory. Therefore, your refusal could imply the non-performance or partial performance of the contract and/or the interruption or partial continuation of our relationship. The provision of your data as per the second point of letter B is optional. Therefore, you may at any time exercise the right specified in point 9 of letters a), b), c), d), e), f), g), h), i).
4. Data processing methods
The processing of your personal data is achieved by means of the operations indicated in Article 4, no. 2 GDPR no. 2016/679 and specifically: collection and recording, organization, storage, consultation, erasure and dissemination of the data. The processing of your data will be based on the principles of propriety, lawfulness and transparency. For the purpose of memorizing, managing and disclosing by transmission the data, the operations may also be performed by automated means, mutatis mutandi and at the current technological level, designed to guarantee safety and confidentiality through the use of procedures which prevent the risk of losing data, its illegal use and dissemination, and unauthorized access. Your personal data will be subject to both conventional hard copy and digitalized document.
5. Data storage period
The Data Controller will process your personal data for the time necessary to fulfill the above mentioned purposes and to however perform the contract. At the end of this storage period your data will be destroyed or made anonymous.
6. Access to data
Your personal data processed by the Data Controller will not be disclosed or made accessible to any person in any format, not even for a simple consultation. Instead, they may be disclosed to Data Controller employees and to third-party subjects. Lastly, they may be disclosed to persons entitled to their access according to Italian and EU laws and regulations.
In particular, according to their role and tasks, some Data Controller employees have been authorized to process personal data within the limits of their capacity and as instructed by the Data Controller. Access to the data and/or the request for it to be transferred will be granted/fulfilled withing maximum 30 days, save hindrances and/or difficulty in such operations. A fee based on administrative costs will be charged for the issuing of extra copies of the processed personal data.
7. Data disclosure
Without the need to express your consent (Art. 6 lett. b) – c) and Art. 13 lett. e) GDPR no. 679/2016) the Data Controller may disclose your data for the aforementioned purposes to security agencies, law authorities as well as all other persons to whom the disclosure of personal data is a legal obligation. For example, your data may be disclosed to:
• Agents and external persons who collaborate with the company;
• Subsidiaries and associated companies;
• Banks and banking companies;
• Service suppliers (e.g. suppliers of IT systems, cloud service and database, as well as consultants).
An updated list of persons in charge of data processing is at your disposal at our offices and may be supplied upon request.
8. Portability of personal data
Your personal data will be managed and stored on servers located in the EU belonging to the Data Controller and/or to third-party companies formally entrusted with the processing of personal data. The Data Controller servers are currently located in Italy. Your personal data will not be transferred outside of the EU. However, it is understood that the Data Controller may move its servers to other locations in Italy and/or the EU and/or to countries outside the EU if deemed necessary. In this case, the Data Controller will ensure that your data is transferred to non-EU countries in compliance with the relevant laws.
9. Your rights
Article 15 of the GDPR no. 2016/679 and following specify your rights, and more specifically:
a) right of access to your data (Art. 15); in other words, you may obtain from the Controller confirmation as to whether or not your personal data are being processed, and, where that is the case, be granted access to them;
b) right to rectification (Art. 16); in other words, obtain from the controller without undue delay the rectification of inaccurate personal data;
c) right to erasure (Art. 17); in other words, obtain from the controller the erasure of your personal data without undue delay;
d) right to restriction of processing (Art. 18); in other words, obtain confirmation from the controller that your personal data is being processed solely for the purpose of its storage;
e) right to data portability (Art. 20); in other words, receive from the controller the data you have provided in a structured, commonly used and machine-readable format;
f) right to object (Art. 21); in other words, you have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data;
g) as regards automated individual decision-making (Art. 22), you have the right not be subject to a decision based solely on automated processing, including profiling, without your explicit consent;
h) right to erasure (Art. 17); in other words, aside from the right to obtain from the controller the erasure of your personal data, you may also withdraw the consent on which the processing is based;
i) right to lodge a complaint with the supervisory authority (Art. 77); in other words, you may file a complaint with the authority if you think the processing of your personal data infringes the Regulation.
10. Data Breach and notification to the Italian Data Protection Authority and/or communication of the breach to the person concerned
In case of data breach – meaning a breach of security that leads to the accidental destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed – in which the rights and freedom of persons may be at risk or are at high risk, the Data Controller shall notify the Data Protector Authority without undue delay and in any case within 72 hours, providing information on the nature of the breach, the number of persons involved and the data category concerned. The name and contact of the DPO shall also be provided.
11. How to exercise your rights
You may exercise the aforementioned rights at any time and in the following ways:
• By sending a letter by registered mail with a return receipt to: Materassificio Montalese S.p.A., Via Prato, no. 16, Postal Code. 51031 – Agliana (PT) -Italy.
• Or by emailing us at email@example.com